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Abstract 



MACE is a program that searches for finite models of first-order statements. The statement to 
be modeled is first translated to clauses, then to relational clauses; finally for the given domain size, 
the ground instances are constructed. A Davis-Putnam-Loveland-Logeman procedure decides the 
propositional problem, and any models found are translated to first-order models. MACE is a useful 
complement to the theorem prover Otter, with Otter searching for proofs and MACE looking for 
countermodels. 



1 Introduction 



MACE (Models And CounterExamples) is a program that searches for small finite models of first-order 
statements. It is frequently used along with our first-order theorem prover Otter JjJ], with Otter 
searching for proofs and MACE looking for countermodels. The two programs accept almost the same 
language, so the same input file can usually be used for both programs. 

MACE has been used for many applications including quasigroup existence problems [J|], ortholat- 
tice problems [0], and lattice and Boolean algebra problems [f7], 0]. Other successful programs that look 



for finite models of first-order statements are SEM [ ]1 lf j and FINDER Ql OQ - A related class of programs 
can produce finite models when the search for a refutation fails. Examples of these are SATCHMO [§] 
and MGTP[(T]]. 

At its core, MACE has a Davis-Putnam-Loveland-Logeman propositional decision procedure named 
ANLDP. ANLDP can be used directly to decide propositional (SAT) problems given in conjunctive 
normal form (see Section |8]). Section || gives differences between MACE 2.0 and previous versions. 
The MACE Web site is http : / /www . mcs . anl . gov/AR/mace. 



2 A Little Motivation 

Say you've just invented group theory by writing down the following three axioms, 

e * x = x 
g{x) * x = e 
(x * y) * z = x * (y * z) 

and you are wondering whether all groups are commutative. You prepare the following input file, named 
group . in. 
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set (auto) . 
list (usable) . 

e * x = x . 

g (x) * x = e . 

(x * y) * z = x * (y * z) 

a * b != b * a. 
end of list . 



Now you give the input file to Otter to search for a proof (actually a refutation). 



and to MACE to look for a countermodel (actually a model) of size 4, as follows. 



Both programs fail immediately. But looking at the Otter output makes you suspect that not all groups 
are commutative, so you go forward, looking for larger countermodels. The command 



succeeds, and the output file contains the following noncommutative group of order 6. 



Model #1 at 1.13 seconds: 



I 1 2 3 4 5 

1 2 3 4 5 

1 3 2 5 4 

2 4 5 1 3 

3 5 1 4 2 

4 2 5 3 1 

5 3 4 1 2 



1 2 3 4 5 
1 2 4 3 5 



Hmmm, very interesting: I wonder what happens if we add x * x = e to our theory. 



3 How to Tell MACE What to Do 



Three kinds of input determine how MACE works. First, the clauses or formulas in the input file specify 
the theory for which you seek a model. Second, special commands in the input file put constraints on 
the models. Third, command-line options give general constraints on the search. 
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3.1 The Formulas 



MACE reads the input (from stdin) and takes formulas and clauses from the lists usable, sos, 
demodulators, and passive as its basic theory.^ Like Otter, MACE immediately transforms any 
first-order formulas to clauses. 

MACE is a bit more restrictive than Otter in the language it accepts, and it interprets some symbols 
differently. See Section |J 



3.2 Constraints in the Input 

Constraints are specified in an optional list mace_constraints in the input file.0 (If you give Otter 
an input file containing a mace.constraints list, Otter ignores it.) Two kinds of constraint are 
accepted: assignments for the models and properties of relations or functions. Here is an example list 
that shows all of the types of constraint. 



list (mace_constraints) . 

assign (e, ) . 

assign (g (2) , 1) . 

assign (3*4, 2) . 

assign (P (1) , T) . 

assign (Q (0, 3) , F) . 

property ( same (_,_) , equality). 

property ( It (_,_) , order). 

property (g (_) , bijection). 

property (_*_, quasigroup) . 
end_of_list . 



The assignments simply give function values or relation values for particular members of the domain.^] 
Members of the domain are always named 0, 1, . . . , n — 1, where n is the domain size. The Boolean 
constants (relation values) are named T and F. Note that assigning values to constants can also be done 
with the -c command-line option (see the next subsection). The following properties of function and 
relation symbols can be specified in the mace.constraints list. 



equality 

This applies to binary relation symbols. It is necessary only if a nonstandard equality symbol 
is being used, because any binary relation recognized by Otter as an equality symbol is also 



recognized by MACE as an equality symbol. See Section 4.2 



order 

This applies to binary relation symbols. It is necessary only if a nonstandard order symbol is being 
used. MACE (but not Otter) automatically recognizes binary < as an order relation. The "order" 



1 One can argue that the hot list should also be considered as part of the basic theory, because Otter uses the hot list to 
make inferences. MACE ignores the hot list, however, because hot list clauses almost always occur also in usable or sos, and 
MACE suffers if it gets duplicate clauses. I suppose MACE could get around this by doing a subsumption check. 

2 Previous versions of MACE used the pass ive list for constraints. 

Why not place assignments in with the clauses that specify the theory? This can be done, but such assignments might not 
make sense if the input is also being used for Otter. 
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is the obvious order on the members of the domain: 0<l<...<n — 1. See the example input 
files ordered_semi . in and cd . in included in the MACE distribution package. 

bi jection 

This applies to unary function symbols. The list of function values is a permutation of the domain. 

quasigroup 

This applies to binary function symbols. If you write down the table for a finite quasigroup, each 
row and each column is a permutation of the domain. 

3.3 Command-Line Options 

-n n This gives the starting domain size for the search. The default value is 2. If you also give 
an -N option, MACE will iterate domain sizes up through the -N value. Otherwise, MACE 
will search only for the -n value. For example, 



Options 


Search 


-n4 


4 


-N6 


2,3,4,5,6 


-n4 -N6 


4,5,6 



-N n This gives the ending domain size for the search. The default is the value of the -n option. 

- c This says that constants in the input should be assigned unique elements of the domain. If 
the number of constants in the input is greater than the domain size n, the first n constants 
are given values, and the rest are unconstrained. This is a useful option because it elimi- 
nates lots of isomorphism from the search. But it can block all models, especially when 
used with other constraints. 

-p (Lower case.) This option tells MACE to print models in a nice tabular form as they are 
found. This format is meant for human consumption. 

-P (Upper case.) This option tells MACE to print models in an easily parsable form. This 
format has an Otter-like syntax and can be read by most Prolog systems. 

-I This option tells MACE to print models in IVY form. This format is a Lisp S-expression 
and is meant to be read by IVY [§], our proof and model checker. 

-m n This tells MACE to stop after finding n models. The default is 1 . 

-t n This tells MACE to stop after about n seconds. The default is unlimited. MACE ignores any 
assign (max_seconds, n) commands that might be in the input file. Such commands 
are used by Otter only. 

-k n This tells MACE to stop if it tries to allocate more than n kilobytes ofmemory. The default 
is 48000 (about 48 megabytes). MACE ignores any assign (maxjnem, n ) commands 
that might be in the input file. Such commands are used by Otter only. 

-x This is a special-purpose constraint designed to reduce isomorphism in quasigroup prob- 
lems. It applies only to binary function f . See jH]. 

-h This tells MACE to print a summary of these command-line options. 
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4 Language Accepted by MACE 



MACE accepts nearly the same input as Otter. First we list the main differences from Otter; then we 
give a short review of Otter's language. 

4.1 Differences from Otter's Language 

1 . MACE does not accept function symbols with arity greater than three or relation symbols with 
arity greater than four. 

2. MACE does not allow symbols with different arities, for example, f ( f , x) . 

3. MACE does not allow a symbol to be used as both a relation symbol and a function symbol. 

4. MACE ignores answer literals. In fact, MACE removes all answer literals before it starts looking 
for models. 

5. The natural numbers 0,1,2, ... are ordinary constants to Otter, but they have special mean- 
ings to MACE. In particular, MACE interprets them as elements of the domain. If you ask MACE 
to look for a model of size n, and there are constants > n in the input, MACE will get confused 
and quit with an error message. 

6. On the other hand, the evaluable ("dollar") functions and relations, for example $SUM and $LT, 
have special meanings to Otter, but they are treated by MACE as ordinary symbols. As a result, 
an input file containing evaluable symbols can produce both a refutation with Otter and a model 
with MACE. Here is an example. 



set (hyper_res) . 
list (sos) . 

-P (x) | P ($SUM (x, x) ) . 

P (1) • 

-P (2) . 
end_of_list . 



4.2 A Quick Review of the Language Otter Accepts 

See the Otter manual ^ for a thorough description of the language. 

Clauses vs. Formulas. You can use either clauses or formulas. (Most people use clauses. If you use 
formulas, they are immediately translated to clauses.) Here are some corresponding examples. 

list (usable) . % 

-P (x) | -Q(x) | R(x) . 

-P (x) | -Q(x) | S (x) . 

f (e, x) = x . 

f (g (x) , x) = e . 
end_of_list . 
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formula_list (usable ) . % 

all x (P(x) & Q(x) -> R(x) & S(x) 
exists e ((all x (f(e,x) = x) ) & 
(all x exists y (f(y,x) 

end of list. 



Variables vs. Constants in Clauses. Clauses do not have explicit quantifiers, so we need a rule to 
distinguish variables from constants. The default rule is that symbols starting with u through z are 
variables. If the command set (prolog_style_variables ) is in effect, symbols starting with 
upper-case letters are variables. 

Equality Symbols. How do we recognize binary relations as equality relations? The default rule is 
that the symbol = and symbols matching the pattern [Ee][Qq].* are equality symbols. If the input 
contains the command set (tptp_eq) , then equal is the one and only equality symbol. 

Infix Notation. One can declare binary symbols to be infix and to have a precedence and associativity 
so that some parentheses can be omitted. Many symbols such as = and * have built-in declarations. 



5 How MACE Works 



The methods used by MACE are described in detail in [J3]] . Here is a summary. 

For a given domain size, MACE transforms the (first-order) input into an equivalent propositional 
problem. This is possible because, for a fixed finite domain, the first-order problem is decidable. The 
propositional problem is then given to a DPLL (Davis-Putnam-Loveland-Logeman) procedure. If sat- 
isfiability is detected, the propositional model is transformed into a first-order model of the original 
problem. 

Consider the following input file. 



list (usable) . 
even (a) . 

-even (x) | even ( s ( s (x) ) ) 
-even (s (a) ) . 
end of list . 



MACE first flattens the clauses into a relational form. This step involves replacing each n-ary function 
with an n + 1-ary relation. MACE's output for this example contains something like 

Processing clause: -a(vO) I even(vO). 

Processing clause: -s(vO,vl) | -s(vl,v2) | -even (vO) | even(v2) . 
Processing clause: -a(vO) I -s(vO,vl) | -even(vl). 



If we ask for models of size 3, MACE generates propositional clauses corresponding to all instances of 
the transformed clauses over the set {0,1,2}. The output also contains the statements 
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Function s/2 well-defined and closed. 
Function a/1 well-defined and closed. 



which indicate that MACE has generated propositional clauses asserting that the new n + 1-ary rela- 
tions are functions. The DPLL procedure finds a model of the set of propositional clauses, and the 
propositional model is transformed into the following first-order model. 

a: 2 even: 12 s: 12 



TFT 001 



Scalability. Unfortunately, this method does not scale well as the domain increases or as the size of 
clauses increases. Consider a distributivity axiom, x * (y + z) = (x + y) * (x + z). The transformation 
to relational form produces the following two clauses. 

-+(v0,vl,v2) -+(v0,v3,v4) -*(v4,v2,v5) -+(v3,vl,v6) *(v0,v6,v5) 
-+(v0,vl,v2) -+(v0,v3,v4) *(v4,v2,v5) -+(v3,vl,v6) -*(v0,v6,v5) 

For a domain of 6, each of these (7-variable) clauses produces 6 7 = 279, 936 propositional clauses. 
MACE can usually handle this many clauses, but it's hard to fight exponential behavior. The program 



SEM [11] is usually better than MACE for large clauses or large domains. 



6 Differences from Previous Versions 

Major changes from earlier versions of MACE are listed here. 

1. Previous versions of MACE called Otter to parse the input and to produce an intermediate form 
that was given to a program named ANLDP. MACE 2.0 is self-contained, making it easier to 
install and run. 

2. Previous versions of MACE worked for a fixed domain size, and there was a separate script 
(mace-loop) to iterate through domain sizes and calling MACE. 

3. Previous versions of MACE used Otter's passive list for constraints (assignments and proper- 
ties). MACE 2.0 uses the new list mace.constraints for that purpose; clauses in passive 
are now taken as part of the theory. 

4. MACE 2.0 allows answer literals in the clauses. (Answer literals are removed by MACE before 
the search for models.) 

5. Previous versions of MACE could handle sorted logic (with disjoint domains). MACE 2.0 cannot. 
Most of the code for sorted logic is still in place, so it is possible that future versions will handle 
sorted logic. 

Sorted logic can sharply cut down the search time. Consider a domain of size 12 that can be 
partitioned into 8 and 4. A 2-variable relational clause, with one variable for each sort, produces 
144 propositional clauses with unsorted logic and 32 clauses in the sorted case. Let us know if 
you need sorted logic. 
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6. Previous versions of MACE had a checkpointing feature whereby the state of the search was 
periodically backed up to a file, and the search could be resumed from one of those states. MACE 
2.0 does not have this feature. 

7 Calling MACE From Other Programs 

MACE returns an exit code when it terminates. This makes it convenient to call MACE from other 
programs. Here is a list of MACE's exit codes. (This list changes from time to time; the current list can 
be found in the source file Mace . h.) 

11 (ABEND_EXIT) This usually indicates an error in the input (not all input errors are covered by 
INPUT_ERROR_EXIT below). Occasionally it is caused by a bug in MACE. When you get this 
exit code, look in the output for an error message. 

12 (UNSATISFIABLE_EXIT) MACE completed its search and determined that no models exist 
within the given domain size(s) and other constraints. It does not mean that the input clauses are 
unsatisfiable. 

13 (MAX_SECONDS_EXIT) MACE terminated because of the time limit given on command line 
(with -t). 

14 (MAX_MEM_EXIT) MACE terminated because of the memory limit given on the command line 
(with -k). 

1 5 (MAX_MODELS_EXIT ) MACE terminated because it found the number of models requested on 
the command line (with -m). 

16 ( ALL_MODELS_EXIT ) MACE completed its search and found all models (at least one) within 
the given constraints. 

17 (SIGINT_EXIT) MACE terminated because it received the interrupt signal . 

18 (SEGV_EXIT) MACE crashed. 

19 (INPUT_ERROR_EXIT) Errors were found in the input. The output file should point to the 
error(s). 

Say we have a list of equations containing a binary function symbol f , and we wish to remove the 
equations that have a noncommutative model of size < 4. If we put the equations in a file, with one 
equation on each line, for example, 



f (f (x,f (f (z,x) , 


x) ),f (z,f (y,x) ) 


= z . 


f (f (f (x,f (z,x) ) 


, x) , f (z, f (y, x) ) 


= z . 


f (f (f (f (y,x),z) 


, x) , f (f (u, y) , x) 


= X . 


f (f (f (f (y,x) ,z) 


, x) , f (f (y, u) , x) 


= X . 



we can write a simple program to loop through the equations, calling MACE for each and printing those 
that have no noncommutative models of size < 4. Here is an example Perl program that does the job. 
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# ! /usr/local/bin/perl5 

$maoe = " /home/mocune/bin-linux/mace" ; # MACE binary 
$unsatisf iable_exit = 12; # exit code of interest 
$input = "/tmp/mace$$"; # temporary input file 

while ($equation = <STDIN>) { 

open(FH, ">$input") I | die "Cannot open file $input"; 

print FH "list (usable) . $equation f ( 0, 1 ) ! =f ( 1 , ) . end_of_list . \n" ; 

close (FH) ; 

$rc = system (" $mace -N4 < $input > /dev/null 2> /dev/null"); 
$rc = $rc / 256; # This gets the actual exit code, 
if ($rc == $unsatisf iable_exit ) { print $equation; } 

} 

system (" /bin/rm $input"); 



If our data file is named identities and our Perl script is named commute 4 _f ilter, then the 
command 

g, 
o 

will remove two of the four equations within a few seconds. 

8 The ANLDP Prepositional Decision Procedure 

If you have a propositional (SAT) problem in conjunctive normal form, you can call MACE's DPLL 
procedure directly with the program ANLDP. ANLDP is included in the MACE distribution package. 

Input to ANLDP is a sequence of integers (no comments are allowed). The propositional variables 
are 1 , 2 , 3 , ... . Positive integers are positive literals, negative integers are negative literals, and 
marks the ends of clauses. For example, here is an (unsatisfiable) input consisting of four 2-literal 
clauses. 

12 
1-2 
-12 
-1 -2 

The command-line options of ANLDP are a subset of MACE's: 

-p (Lower case.) This tells ANLDP to print models as they are found. 

-m n This tells ANLDP to stop after finding n models. The default is 1 . 

-t n This tells ANLDP to stop after about n seconds. The default is unlimited. 

-k n This tells ANLDP to stop if it tries to allocate more than n kilobytes of memory. The 
default is 48000 (about 48 megabytes). 
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- s This tells ANLDP to perform unit subsumption as it searches. (Unit subsumption is always 
performed on the input.) When ANLDP gets a new unit (by splitting or by unit propaga- 
tion), two operations are ordinarily performed: (1) unit resolution, to remove complemen- 
tary literals from all clauses, and (2) unit subsumption, to mark as subsumed all clauses 
containing the unit as a literal. Because of our data structures, unit subsumption nearly 
always costs more time than it saves. But this option allows you to use unit subsumption if 
you wish. 

ANLDP is an implementation of the Davis-Putnam-Loveland-Logeman procedure. Efficient data 
structures and algorithms are used, but the procedure is otherwise standard. When the time comes to 
select the next propositional variable for splitting, ANLDP simply takes the first variable of the first 
shortest positive clause. Details of the implementation can be found in [[J. 
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